Data Security Starts With Identity

Joshua Brown, VP and Global CISO, H&R Block

The latest Executive Order on improving US cybersecurity, followed by guidance from the federal Office of Management and Budget (OMB) on implementing Zero Trust Architecture (ZTA), has kicked marketing machines into high gear, giving us “Now with 100% MORE Zero Trust!!” labels on every product in sight. As security practitioners, it is time to separate hype from reality and figure out how to operationalize the concept. Helpfully, NIST has released guidance in the form of a framework (SP 800-207) for designing and implementing ZTA. One of the challenges for any business, however, is where to start. For most organizations, this challenge is not going to be addressed simply by purchasing new tools or platforms. Our overarching objective remains data security, but data-centric security is not the right approach. We need to start by taking a hard look at identity governance and administration.

To understand the central importance of identity for ZTA, it is useful to review how conventional wisdom regarding network design changed in response both to the escalating tactics of adversaries and to the need for companies to incorporate mobility into how their organizations operate. The traditional “castle and moat” model of the corporate network has long been declared inadequate against modern threats, replaced in many cases with a lightly segmented network designed to compartmentalize data according to business unit or sensitivity. The meteoric rise and commoditization of cloud services point to a future where the very concept of a centralized corporate network feels antiquated. Finally, the global pandemic showed that many businesses could function with a largely remote workforce, and it accelerated the transition to “do anything from anywhere on any device,” with each individual user becoming a highly mobile micro-perimeter.

The user experience on a pre-Zero Trust Architecture network is akin to shopping in a grocery store. If you meet the basic criteria for admittance, once inside you can see all your purchasing options and put anything into your cart. When you go to check out, you *might* have an ID check if you are buying something that requires additional proof of age. In contrast, the Zero Trust Architecture is more like exploring a pitch-dark cave, where you can only see what is right in front of your flashlight. To adapt this model to the grocery store analogy: if I need milk, and am authorized to access and buy milk, then ZTA says I should be able to access milk...and nothing else. Getting that milk doesn’t entitle me to get some eggs or bread; in fact, I shouldn’t even see that those things exist! Even if my identity has been compromised, the bad actor is only getting milk, and maybe not even that. Under Zero Trust, every identity claim is a remote claim, and validation is continuous; the model removes location as a criterion for identity validation, and thus for providing any inherent trust or access based on that data point in the identity claim.

Validating remote identity claims effectively is hard, and as perimeter defenses improved over time, attackers targeted the human element with devastating effect. We’ve long relied on passwords as a proxy to prove that an individual is who they claim to be. When passwords proved insufficient, we added factors like biometrics or tokens for additional proof (and to help guard against password-based attacks). That made sense in the context of a *remote* identity claim; but as more and more services moved outside the corporate network, we lacked a model that would allow us to centralize access governance while also recognizing that there was no longer a concept of being “on the network.” To put it another way, every user became remote, and access needed to be controlled at the application layer rather than the network layer.

Organizations must standardize and automate how access is provisioned, including mechanisms that continuously validate access group membership against birthright and role-based access grants. The concept of “always on” administrative accounts is replaced with just-in-time access provisioning. And User and Entity Behavioral Analysis (UEBA) must be integrated with access provisioning so that anomalous activity (such as coming from a new device, from a new location, or during an unusual time of day) is treated as an additional risk factor that must be met with increasingly rigorous challenges before identity is confirmed. Only then, after positive authentication is completed, can authorization be granted; both must occur before a session is established between user and resource, and validation is continuous so authorization can be rescinded at any time.
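The paragraph above describes three controls in words; the following added example (written for this page, not the author's or any product's code) sketches them as one small policy engine: reconciling actual group membership against birthright and role-based grants, scoring session anomalies into a required authentication level, and re-evaluating every snapshot of a session so a decision can flip to step-up mid-session. The role model, group names and assurance levels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role model: every identity gets the birthright groups,
# and each role grants additional groups. Anything else is drift.
BIRTHRIGHT_GROUPS = {"all-staff", "email"}
ROLE_GROUPS = {
    "tax-pro": {"tax-apps"},
    "payroll-admin": {"payroll-admin"},
}

def expected_groups(roles):
    """Groups an identity should hold: birthright plus role-based grants."""
    groups = set(BIRTHRIGHT_GROUPS)
    for role in roles:
        groups |= ROLE_GROUPS.get(role, set())
    return groups

def reconcile(roles, actual_groups):
    """Return (excess, missing): groups held without a grant, and grants not provisioned."""
    expected = expected_groups(roles)
    return actual_groups - expected, expected - actual_groups

@dataclass
class Session:
    device_known: bool
    location_known: bool
    hour: int          # local hour, 0-23
    auth_level: int    # 1 = password, 2 = MFA, 3 = MFA + registered device (hypothetical scale)

def risk_score(s):
    """One point per anomaly: unknown device, unknown location, activity outside 07:00-19:00."""
    return int(not s.device_known) + int(not s.location_known) + int(not 7 <= s.hour <= 19)

def required_level(score):
    """Map accumulated risk to the assurance level the session must reach."""
    return 1 if score == 0 else 2 if score == 1 else 3

def authorize(roles, actual_groups, resource_group, s):
    """Authorization decision for one snapshot of a session."""
    excess, _ = reconcile(roles, actual_groups)
    if resource_group in excess:
        return "deny: group membership not backed by a role grant"
    if resource_group not in actual_groups:
        return "deny: not entitled"
    need = required_level(risk_score(s))
    if s.auth_level < need:
        return f"step-up: level {need} required"
    return "allow"

def evaluate_continuously(roles, actual_groups, resource_group, snapshots):
    """Re-run the decision for each observed snapshot; a later 'step-up' rescinds access."""
    return [authorize(roles, actual_groups, resource_group, s) for s in snapshots]
```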

The benefits of ZTA are numerous—it weakens the threat of ransomware by minimizing the possibility of lateral movement; it reduces the impact of a breach by increasing the effort required for large-scale data theft; it standardizes the user experience in accessing resources and hardens the human element against social attacks; and it enables a model where work from anywhere is possible while risk is still managed effectively. But ZTA will also expose weaknesses in network and application design, and most of all in identity and access governance. While the framework was designed to be deployed on existing infrastructure, it requires a reframing of identity as central to making decisions about access and authorization. Protecting data is still the goal, but businesses must understand that success depends on getting identity and access governance right first.